Linux based "not Active Directory"
Richard Cottrill
2008-05-07 07:14:11 UTC
I'd like to pull together a bunch of network admin services together in an
integrated way. The centralised lookup functions every distributed
environment needs - DHCP, DNS, LDAP (authorisation / general info lookup),
and some sane authentication scheme (perhaps Kerberos - sanity depends on
where you're standing). The only neat solution I'm aware of is Windows
Active Directory. I guess Novell once had a competitor (may still do). Is
there a Linux system to manage a similar feat?

To clarify - I don't want an Active Directory implementation necessarily. I
would like something that performs similar functions though. AD (for all
its faults) has a very slick integration / implementation of LDAP,
Kerberos, DHCP, and DNS. I want one.

Any ideas? Has this all been left to Microsoft?

Richard
Bruce Richardson
2008-05-07 10:03:36 UTC
Post by Richard Cottrill
To clarify - I don't want an Active Directory implementation necessarily. I
would like something that performs similar functions though. AD (for all
its faults) has a very slick integration / implementation of LDAP,
Kerberos, DHCP, and DNS. I want one.
Any ideas? Has this all been left to Microsoft?
Try Red Hat Directory Server or its free-beer Fedora equivalent.

http://www.redhat.com/directory_server/
http://directory.fedoraproject.org/

Ticks all your boxes, I think.
--
Bruce

Those who cast the votes decide nothing. Those who count the
votes decide everything. -- Joseph Stalin
Daniel P. Berrange
2008-05-07 11:53:38 UTC
Post by Bruce Richardson
Post by Richard Cottrill
To clarify - I don't want an Active Directory implementation necessarily. I
would like something that performs similar functions though. AD (for all
its faults) has a very slick integration / implementation of LDAP,
Kerberos, DHCP, and DNS. I want one.
Any ideas? Has this all been left to Microsoft?
Try Red Hat Directory Server or its free-beer Fedora equivalent.
http://www.redhat.com/directory_server/
http://directory.fedoraproject.org/
Ticks all your boxes, I think.
IMHO, you're better off going for FreeIPA which includes Fedora Directory
Server as one of its integrated components, adding a much nicer admin UI
and command line toolset, as well as adding in Kerberos for authentication.


Dan.
--
|: http://berrange.com/ -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/ -o- http://gtk-vnc.sourceforge.net :|
Daniel P. Berrange
2008-05-07 11:52:14 UTC
Post by Richard Cottrill
I'd like to pull together a bunch of network admin services together in an
integrated way. The centralised lookup functions every distributed
environment needs - DHCP, DNS, LDAP (authorisation / general info lookup),
and some sane authentication scheme (perhaps Kerberos - sanity depends on
where you're standing). The only neat solution I'm aware of is Windows
Active Directory. I guess Novell once had a competitor (may still do). Is
there a Linux system to manage a similar feat?
To clarify - I don't want an Active Directory implementation necessarily. I
would like something that performs similar functions though. AD (for all
its faults) has a very slick integration / implementation of LDAP,
Kerberos, DHCP, and DNS. I want one.
Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.

http://freeipa.org/page/Main_Page

Version 1.0 was just recently a week ago

https://www.redhat.com/archives/freeipa-devel/2008-April/msg00120.html

In the future it'll also integrate certificate management, auditing and
policy management. All the RPMs are available in Fedora 8/9 and it is
seriously trivial to get up & running - we're using it in our virtualization
management app oVirt to provide our authentication services.

The FreeIPA software will also soon be available as a supported product
called Red Hat Enterprise IPA, if you need that kind of thing for
deployment.


Regards,
Dan.
--
|: http://berrange.com/ -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/ -o- http://gtk-vnc.sourceforge.net :|
Bruce Richardson
2008-05-07 12:32:31 UTC
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
http://freeipa.org/page/Main_Page
I bet that site disappoints a lot of hopeful CAMRA members.
--
Bruce

Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
Richard Jones
2008-05-07 13:08:40 UTC
Post by Bruce Richardson
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
http://freeipa.org/page/Main_Page
I bet that site disappoints a lot of hopeful CAMRA members.
Haha, I wonder if they were aware of the homonym? Having met a few of
them when I was over in the US last time, I suspect they are :-)

Rich.
--
Richard Jones
Red Hat
--
Gllug mailing list - ***@gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
David Damerell
2008-05-08 13:29:14 UTC
Post by Bruce Richardson
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
http://freeipa.org/page/Main_Page
I bet that site disappoints a lot of hopeful CAMRA members.
Not if it's Greene King IPA. Blech!
--
David Damerell <***@chiark.greenend.org.uk> Distortion Field!
Today is Second Monday, May.
Vidar Hokstad
2008-05-07 13:08:21 UTC
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos,
FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
FreeIPA looks interesting, but when I looked at the webpage, my first
reaction was buzzword / "consultant speak" overload, followed by the
thought "but what does it actually DO?" and I can't seem to find much
in terms of hard facts on the site unless I go diving into the source
code.

I.e. what would it actually buy me for a small to medium sized
installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?
A nicer management interface is nice and all, but you have to have a
pretty large shop before things change frequently enough that it's a
big deal (and the same before multi-master replication becomes
important). From the web page I can't even tell if FreeIPA has feature
parity with the above combination in terms of what I could do with it.
I can see there are some things that FreeIPA supports that I _can't_
do with the above, but unfortunately none of those things matters to
me (if I had a larger install it would, though).

More specifically, I noticed Debian-based distros were noticeably
absent from the client installation docs, and the docs that are there
seem to say very little about what the client installation actually
covers (in terms of what applications will actually be able to use the
ipa client support). Any plans for Debian support on the client, or at
least some info on what needs to be in place?

When setting up OpenLDAP here, the biggest problems we ran into were
not the server, by the way, but getting all the different apps we use
that rely on identity and authorization to actually use PAM or the
LDAP server instead of a myriad of other authentication methods. That
included building a number of new packages and a ton of updates, and
assorted random breakage (our mail server suddenly decided it needed
an existing home directory to deliver mail to the users after we made
it use LDAP to check for the existence of a user account instead of
its own table, for example) that took a while to sort through. That's
something I really hope most/all distros put more effort into
improving...

I'd really like to hear more about what the actual benefits of FreeIPA
are, though... At the moment just getting most apps here reconfigured
to use LDAP is/will be a huge improvement, but anything that makes
managing the whole thing less painful is very attractive..

Vidar
--
Vidar Hokstad
Technical Director
Aardvark Media Limited
Mobile: 0795 867 7857
Direct Dial: 020 7183 2740

2 Fulham Business Exchange
The Boulevard
Imperial Wharf
London
SW6 2TL
Richard Jones
2008-05-07 13:17:54 UTC
Post by Vidar Hokstad
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos,
FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
FreeIPA looks interesting, but when I looked at the webpage, my first
reaction was buzzword / "consultant speak" overload, followed by the
thought "but what does it actually DO?" and I can't seem to find much
in terms of hard facts on the site unless I go diving into the source
code.
Yeah, I loathe those sorts of sites as well, although FreeIPA.org
isn't the worst by any means.

Your best bet is probably just to install it. In Fedora 8 or 9 it's
just a matter of doing 'yum install ipa-server', followed by
'less /usr/share/doc/ipa*/*'.

Despite what Dan said, using Kerberos isn't exactly simple (although
FreeIPA is by far the simplest I've seen). I've long come to the
conclusion that Kerberos tries to be deliberately obscure.
Post by Vidar Hokstad
I.e. what would it actually buy me for a small to medium sized
installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?
Kerberos, proper integration with SELinux, plus the addition of a
certain amount of "just working"-ness.
Post by Vidar Hokstad
More specifically, I noticed Debian-based distros were noticeably
absent from the client installation docs, and the docs that are there
seem to say very little about what the client installation actually
covers (in terms of what applications will actually be able to use the
ipa client support). Any plans for Debian support on the client, or at
least some info on what needs to be in place?
We work closely with Debian when they need to package software that we
(Red Hat) write. In this case no one's come up with a WNPP for
FreeIPA yet. But if you want to go through the usual process then
I'll help out where I can.
Post by Vidar Hokstad
When setting up OpenLDAP here, the biggest problems we ran into were
not the server, by the way, but getting all the different apps we use
that rely on identity and authorization to actually use PAM or the
LDAP server instead of a myriad of other authentication methods. That
included building a number of new packages and a ton of updates, and
assorted random breakage (our mail server suddenly decided it needed
an existing home directory to deliver mail to the users after we made
it use LDAP to check for the existence of a user account instead of
its own table, for example) that took a while to sort through. That's
something I really hope most/all distros put more effort into
improving...
Yup, this is exactly what the IPA team is working on. Their efforts
are obviously focused on Fedora/RHEL first.

Rich.
--
Richard Jones
Red Hat
Daniel P. Berrange
2008-05-08 14:04:03 UTC
Post by Vidar Hokstad
Post by Daniel P. Berrange
Take a look at our FreeIPA project. It integrates Kerberos,
FreeRadius
and Fedora Directory Server into one slick application with a very nice
web management interface & command line toolset.
FreeIPA looks interesting, but when I looked at the webpage, my first
reaction was buzzword / "consultant speak" overload, followed by the
thought "but what does it actually DO?" and I can't seem to find much
in terms of hard facts on the site unless I go diving into the source
code.
There's a reasonable overview of the concepts / ideas here:

http://freeipa.org/page/IpaConcepts
Post by Vidar Hokstad
I.e. what would it actually buy me for a small to medium sized
installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?
A nicer management interface is nice and all, but you have to have a
pretty large shop before things change frequently enough that it's a
big deal (and the same before multi-master replication becomes
important). From the web page I can't even tell if FreeIPA has feature
parity with the above combination in terms of what I could do with it.
I can see there are some things that FreeIPA supports that I _can't_
do with the above, but unfortunately none of those things matters to
me (if I had a larger install it would, though).
Primarily it is about providing a pre-integrated solution of the
various apps it bundles. In particular Kerberos, LDAP and FreeRadius.
This takes the pain out of setting up & configuring all the apps to
talk to each other. So as an admin you just need to yum install the
software (or equivalent) and then run the setup script which prompts
for the name of the realm, DNS domain name and admin password. Everything
else is then configured based on this info. For admins not already
familiar with Kerberos & LDAP administration this is a very big win,
making installation an order of magnitude easier. I managed to get it
up & running in about 30 minutes with zero prior knowledge of Kerberos
admin.
Post by Vidar Hokstad
More specifically, I noticed Debian-based distros were noticeably
absent from the client installation docs, and the docs that are there
seem to say very little about what the client installation actually
covers (in terms of what applications will actually be able to use the
ipa client support). Any plans for Debian support on the client, or at
least some info on what needs to be in place?
The client tools are focused on making it easier to configure a machine
to use Kerberos/LDAP services for authentication, and fetching of service
principals for servers which need them. As such the client tools are
optional - you can still manually configure /etc/krb5.conf and similar
files if desired - it's just standard Kerberos & LDAP after all.

The IPA development is primarily done on Fedora since most of the developers
are working for Red Hat, but the code/tools themselves should work on any
Linux distro if the software pre-requisite versions are met. There may be
people packaging for Debian, but you'd have to ask on the IPA mailing list
about that, since I'm not up2date on that development.
Post by Vidar Hokstad
When setting up OpenLDAP here, the biggest problems we ran into were
not the server, by the way, but getting all the different apps we use
that rely on identity and authorization to actually use PAM or the
LDAP server instead of a myriad of other authentication methods. That
included building a number of new packages and a ton of updates, and
assorted random breakage (our mail server suddenly decided it needed
an existing home directory to deliver mail to the users after we made
it use LDAP to check for the existence of a user account instead of
its own table, for example) that took a while to sort through. That's
something I really hope most/all distros put more effort into
improving...
I'd really like to hear more about what the actual benefits of FreeIPA
are, though... At the moment just getting most apps here reconfigured
to use LDAP is/will be a huge improvement, but anything that makes
managing the whole thing less painful is very attractive..
Ease of deployment & initial configuration of the server, ease of client
configuration, and consistent ongoing management are all core goals and
benefits of the IPA project. It is a young project, only at version 1.0
though so it obviously hasn't solved all the problems just yet :-) It has
been moving forward very quickly in the 6 months I've been using the
pre-releases...

Dan.
--
|: http://berrange.com/ -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/ -o- http://gtk-vnc.sourceforge.net :|
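As an added illustration of the two points Dan makes above (the setup script takes a realm, a DNS domain and an admin password and derives everything else; and a client that skips the client tools can still be configured by hand because it is plain Kerberos and LDAP), the script below derives a client-side krb5.conf and an nss_ldap/pam_ldap-style ldap.conf from a domain and a server host. It is example code written for this page, not FreeIPA's installer or client tools; the domain example.test, the host ipa.example.test, the realm EXAMPLE.TEST and the CA certificate path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not FreeIPA's installer or client tools: given the inputs the
# thread describes (DNS domain, the KDC/directory host, optionally the realm),
# derive a client-side krb5.conf and an nss_ldap/pam_ldap-style ldap.conf.
# example.test, ipa.example.test and the CA path below are constructed placeholders.

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Accept only a plausible multi-label DNS name; a typo here would otherwise be
# baked into every client's realm mapping and base DN.
validate_domain() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# example.test -> dc=example,dc=test (the usual way a base DN is derived from a domain)
domain_to_basedn() {
    printf 'dc=%s' "$(to_lower "$1" | sed 's/\./,dc=/g')"
}

# render_krb5_conf DOMAIN KDC_HOST [REALM]
# The realm defaults to the upper-cased domain (the Kerberos convention).
# DNS-based realm/KDC discovery is off, so a spoofed DNS answer cannot point
# the client at a KDC of someone else's choosing.
render_krb5_conf() {
    domain=$(to_lower "$1")
    kdc=$(to_lower "$2")
    realm=$(to_upper "${3:-$1}")
    validate_domain "$domain" || { echo "bad domain: $1" >&2; return 1; }
    validate_domain "$kdc" || { echo "bad kdc host: $2" >&2; return 1; }
    cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true

[realms]
  $realm = {
    kdc = $kdc:88
    admin_server = $kdc:749
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}

# render_ldap_conf DOMAIN LDAP_HOST
# Base DN derived from the domain; STARTTLS with peer verification so the
# client never sends a bind password in the clear or to an impersonated server.
render_ldap_conf() {
    domain=$(to_lower "$1")
    host=$(to_lower "$2")
    validate_domain "$domain" || { echo "bad domain: $1" >&2; return 1; }
    validate_domain "$host" || { echo "bad ldap host: $2" >&2; return 1; }
    cat <<EOF
uri ldap://$host
base $(domain_to_basedn "$domain")
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/directory-ca.crt
EOF
}

# Usage: sh thisfile.sh example.test ipa.example.test   (prints both configs)
if [ $# -ge 2 ]; then
    render_krb5_conf "$@"
    echo
    render_ldap_conf "$1" "$2"
fi
```

The point of the validation step is the one Vidar's war story hints at: once a realm name or base DN is wrong it is wrong on every client you touched, so the few inputs the setup takes are worth checking before anything is written out.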
Richard Cottrill
2008-05-08 15:31:12 UTC
Thanks to all and sundry for their contributions. I'll check out FreeIPA
right away.

Richard
